The Risk Inquiry Service (RIS) joins device data provided from the data collector process with the customer order data sent from the merchant. Once the device data and the order data are combined, RIS evaluates and scores each transaction. After the evaluation, RIS returns a response string back to the merchant to be used by the merchant to approve, decline, or hold the order for review. Each transaction continues to be evaluated and dynamically scored for up to fourteen days. The following section describes how to implement the RIS.
-
Customer initiates purchase.
-
Merchant initiates RIS request to Equifax via HTTPS URL encoded post.
-
Equifax evaluates transaction.
-
Equifax returns evaluation response to merchant.
-
Notification is displayed to customer.
Equifax supports multiple payment types and depending upon the payment type chosen by the customer certain payment tokens are required. If the PayPal Payer ID or Google Pay Account ID is not sent in the inquiry mode, then it must be sent in the update mode related to the transaction otherwise the order details will not be displayed in the Agent Web Console (AWC).
Equifax can add arbitrary payment types rapidly to support an international market. To view the current list of supported payment types, go to Application Programming Interface (API) Endpoint.
Equifax allows a great deal of control over fraud management through a variety of methods including the risk score, rules to determine risk thresholds, VIP lists, and many others that are administered through the AWC. Equifax also provides the ability for interaction for some functions without the need of the AWC by utilizing the Event Notification System (ENS) and the API.
Specification guides for the ENS and API can be requested from your account manager or accessed in the API endpoints list.
When using the Kount SDK all credit card information, by default, uses the KHASH encryption method where the credit card information is irreversibly hashed prior to transmission from the merchant to Equifax.
When using the JAVA or .NET SDKs (due to the compiled nature of the languages) KHASH is the only option for payment encryption. JAVA or .NET environments must use a direct post (outside of the SDK) method if MASK encryption is chosen.
If not using the SDK the following encryption options are available.
Equifax proprietary hash used to hash the credit card number before passing it to Equifax. The hashing algorithm source code can be found in each one of the SDKs or can be requested from Equifax.
PTYP=CARD PENC=KHASH
Output - BIN + 14 alphanumeric characters
Example: 123456A12C34E56G7DFG
Ability to pass the first six and last four numbers of a credit card filled in with XXXs. PENC=MASK is only valid with PTYP=CARD
PTYP=CARD PENC=MASK
Output BIN + 10 capital “X” characters + Last 4 of credit card
Example: 123456XXXXXXXXXX7890
Note: The “X” characters must all be capital “X”. The above example value is just for purposes of illustration. The PTOK should be the same length as the original card number. You can use the card number with the first 6 and last 4 numerals present and the rest of the numbers in the card masked by “X”, but the number of characters must be the same as those of the actual card number.
RIS data posted to Equifax must be URL encoded and submitted as key-value pairs. Much of the work can be simplified by utilizing a Equifax-provided SDK, including URL encoding. Equifax provides an SDK for Java, .NET, PHP, Perl, and Mobile environments.
Recommendations regarding each development environment and their supported versions, configuration, logging, and paths are found in the README file located in the docs directory in each respective SDK.
Please read the documentation associated with each SDK.
-
Port 443 must be available to post and receive data from Equifax.
-
API Keys are used to authenticate the RIS HTTPS submission to Equifax – similar to a password. A single API Key will be used for RIS submissions, the key is not subject to expiration date and does not require re-issuance. To generate an API Key, navigate to the ADMIN tab and then API Keys. Refer to How to Authenticate the Risk Inquiry Service for additional information. Note: API Keys can only be used with Equifax version 0630 and newer.
-
SSL support is required for the RIS process. TLS version 1.2 is currently supported.
-
The session identifier created during the data collector process must be passed as the session identifier for the RIS transaction. This identifier must be unique for at least 30 days. If a single Session ID were to be used on multiple transactions, those transactions would link together and erroneously affect the persona information in the risk score.
-
RIS posts are limited to a total of 40,960 characters or bytes.
-
To utilize the various SDKs, several required static settings must be configured. Please refer to the README files included in each of the SDKs.
-
PHP settings.ini
-
.NET App.config
-
Python
-
Java All settings are included in inquiry
|
Data |
Size |
Description |
Example |
|
Merchant ID |
6 |
Six-digit identifier issued by Equifax. |
999999 |
|
COMPANY_SERVER_URL |
N/A |
HTTPS URL path to the company’s servers provided in boarding documentation from Equifax. |
|
|
LOGGER |
N/A |
Specifies which logger to use: SIMPLE or NOP. |
SIMPLE |
|
SIMPLE_LOG_LEVEL |
N/A |
If SIMPLE logging is enabled, it lists logging levels in order of decreasing severity: FATAL, ERROR, WARN, INFO, DEBUG |
WARN |
|
SIMPLE_LOG_FILE |
N/A |
Name of the log file for SIMPLE logging |
company-sdk-ris.log |
|
SIMPLE_LOG_PATH |
N/A |
Path to where log file will be written. (Must be a valid path) |
/some/path/to/log |
|
APIKEY |
Varies |
API Key value copied from clipboard – originating from API Key page within the AWC |
Alphanumeric hashed value provided by Equifax |
|
Client Certificate (deprecated field for legacy certificates) |
N/A |
Depending on the SDK environment certain client certificate information will be required. |
company-ris-certificate.p12 |